How Will GDPR Affect Security in Cloud Computing?
The European Union (EU) General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, has been hailed as significant legislation that obliges organizations to comply with stringent rules when handling customer data. It is unique in that it also applies to organizations outside the EU that handle the data of EU citizens.
The regulation addresses the serious concerns raised by citizens about how their data is collected and managed by organizations. In doing so, it has made the data privacy rights of EU citizens sacrosanct, giving them the right to know how their data is handled and the power to have it deleted on request.
The GDPR Impact
This regulation posed a challenge for many enterprises, which had to ensure compliance or face legal consequences. Compliance did not depend on their own processes and IT infrastructure alone, as many large enterprises had already migrated to the Cloud. This meant that organizations also had to ensure that their Cloud service providers were GDPR compliant; that was the challenge CISOs had to deal with.
For the Cloud service providers, it meant that they had to rise to the challenge quickly, put checks and balances in place, and make the necessary changes to ensure compliance. Unless they could prove that they were GDPR compliant, they would lose their customers (and revenue). It was not just that; it also meant that they could be held liable for any breaches, since the organizations were answerable to the citizens and the authorities and would in turn hold their providers liable. The consequences of a breach were heavy, with fines of 2 to 4% of annual revenue or up to €20 million, depending on the gravity.
So most Cloud service providers scrambled to ensure that they were GDPR compliant, as that became a major deciding factor for organizations choosing their Cloud Computing partner. Considering that the privacy and security of data were important to all organizations, being GDPR compliant was a good step for Cloud Computing. However, many operational challenges had to be overcome to achieve this status.
Cloud Computing Security
Even before the GDPR, the security of data had always been a major concern for organizations that moved to the Cloud. So most organizations and their Cloud partners looked at the GDPR as just another step towards strengthening it. Typically, the security of data in Cloud Computing is achieved through a multi-pronged approach: physical security, firewalls, intrusion detection systems, monitoring, metrics and logs, encryption, and data governance. These span the multiple layers through which data is collected, stored, accessed, audited, and more.
A data breach could occur at any of these layers, hence the Cloud Computing service providers had to ensure that the GDPR compliance related checks and balances were applied at every possible step. They had to bring in “Privacy By Design” to ensure this and to retain the confidence of the enterprises and their customers. Privacy By Design meant that enterprises and Cloud service providers had to build privacy in at every level, from the application design to the employees who handled the data. Creating awareness among employees about the importance of data privacy was also a major factor to be considered, as breaches sometimes happened through simple oversight as well.
The very nature of Cloud Computing meant that certain specific challenges had to be addressed to ensure this. Bringing data transparency to end users was important, as they could demand to see how their data is collected, stored, and used. The GDPR mandated organizations (Data Controllers) to give citizens the right to view their data in a clear and understandable format and to have it deleted if they asked.
It was also made clear that data could only be used for the purpose for which it was collected, and data retention policies also had to be in place. This meant that organizations had to think through their data governance policies and ensure that they were mapped onto the various layers of the Cloud Computing security features. The Cloud partner contract would also have to cover the data retention and purging terms.
The real challenge came in ensuring the data sovereignty part of the GDPR, which required that all data be stored within the EU or within a jurisdiction with similar levels of protection. With most Cloud service providers having their data centers spread across the globe, this was the major challenge that enterprises had to solve. It was addressed by giving organizations the right to choose the country (data center location) in which their data would be stored. This choice became a major factor for enterprises choosing their Cloud Computing partner, as many other governments also started specifying this requirement. Cloud contracts now specify clearly where the data is stored and that it will not be moved without the knowledge of the Data Owner or Controller, which is the enterprise.
Data Protection Impact Assessments (DPIA)
Enterprises can meet the GDPR mandate to ensure data privacy and sovereignty through a Data Protection Impact Assessment (DPIA). The DPIA ensures “Protection by Design” for the enterprise: an impact study is conducted on any new project to assess the risks involved.
The first paragraph of Article 35 of the GDPR states: “Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks”. This is what a DPIA helps enterprises achieve, so that they meet the required levels of compliance, avoid breaches, and minimize their liability. The assessment must also cover the Cloud service provider’s service if the enterprise is planning to run the project in the Cloud.
The first paragraph of Article 34 of the GDPR, which concerns the communication of a personal data breach to the data subject, states: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay”. It is therefore important for enterprises to ensure that their data governance policies cover this communication flow. Moreover, it should also be enforced through their Cloud service provider agreements and their security and communication policies. Breaches, and news of them leaking out, can be extremely damaging to their reputation, not to mention the steep financial implications.
So, overall, it appears that the GDPR helped streamline some important security aspects of Cloud services, which has helped the industry refine its offerings. Besides, when privacy and protection are by design, security is assured to a great extent, and both enterprises and Cloud service providers can afford to breathe easier.